I haven't been using pfSense for long and am aiming to switch a raft of customers across to it for a bunch of reasons that I'm sure are obvious to all you long-time pfSense users.
Before I even consider rolling this out as the preferred solution, I have a test network which mimics a customer network and setup in every way. So far I'm really liking pfSense and have everything up and running by using the Netgate guides, which have been great.
In this test environment, I have set up OpenVPN and the remote client can connect without issue, can ping the server on that site (172.31.17.120), access the network shares on that same server and remote print via that server, which is also a print server. The issue I have is that when connecting to the CRM software and trying to log in, there is an error. The CRM system is installed on the same server that can be pinged and whose shares can be accessed. I've tried everything I can think of to get this to work, with no joy. I have spoken to the CRM provider and they have said that all user login authentication goes out to the CRM servers managed by them and will only allow users to log in if the internet IP address they're connecting from appears on their whitelist.
For example in this scenario we can assume:
Remote OpenVPN user in a hotel has internet IP address of 123.123.123.123
The site and network the OpenVPN user is connected to has an internet IP address of 124.124.124.124
124.124.124.124 is the internet IP address of the site that has the server (where the CRM is installed)
The CRM cloud systems have 124.124.124.124 on their whitelist so users from that physical site can be authenticated and login
Whitelisting 123.123.123.123 isn't feasible as tomorrow the remote OpenVPN user will be in a different hotel with a different internet IP address.
My question is, how can pfSense be configured to present the remote user with the whitelisted IP address of 124.124.124.124 when the address they are connecting from is actually 123.123.123.123?
I have tried setting up static routes but this hasn't worked and my gut tells me that this can be managed in the NAT settings and possibly alongside an additional firewall 'pass' rule.
The solution has eluded me and normally I successfully solve everything using just guides and instructions as I find it's the quickest way for me to learn. Not this time however, so I need to lean on this community's knowledge, experience and kindness for sharing their experience and by extension their time. Any suggestions or help would be greatly received.
To recap: In this environment, the remote user could conceivably connect from anywhere in the world so whitelisting specific internet IP addresses naturally isn't feasible.
The remote user must present with the internet IP address of the site that the remote user is connecting to. Essentially, the remote user must appear to have the same IP address of the site and server that the CRM is installed on as this has the whitelisted internet IP address on the CRM provider's systems.
Thank you in advance for any help and advice you can provide.
I.T._Lee
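As an added illustration (not part of the original post, and not Netgate's generated ruleset), the traffic path the question describes can be expressed as the pf rules that sit underneath pfSense's Outbound NAT and firewall pages. It assumes an OpenVPN tunnel network of 10.8.0.0/24, a WAN interface named em0 holding 124.124.124.124, an OpenVPN server interface named ovpns1 and a placeholder CRM cloud range; none of these values are on the page.

```pf
# Constructed example of the underlying pf semantics; in pfSense these are
# managed through Firewall > NAT > Outbound and Firewall > Rules > OpenVPN,
# not edited by hand. All names and addresses below are assumptions.
wan_if   = "em0"            # assumed WAN interface, public address 124.124.124.124
ovpn_if  = "ovpns1"         # assumed OpenVPN server interface
ovpn_net = "10.8.0.0/24"    # assumed OpenVPN tunnel network
crm_cloud = "203.0.113.0/24" # placeholder (documentation range); substitute the
                             # provider's real authentication server addresses

# Outbound NAT: packets that entered through the tunnel and leave on WAN are
# rewritten to the WAN address, so the CRM cloud sees 124.124.124.124 rather
# than the hotel address 123.123.123.123. "($wan_if)" tracks the WAN address
# if it changes.
nat on $wan_if inet from $ovpn_net to $crm_cloud -> ($wan_if)

# Firewall pass rule on the OpenVPN interface: without it the packet is
# dropped before NAT is ever applied, which matches the "additional pass
# rule" the post suspects is needed.
pass in quick on $ovpn_if inet proto tcp from $ovpn_net to $crm_cloud \
    flags S/SA keep state

# Prerequisite on the OpenVPN server side (not pf): the client must be told
# to send CRM traffic into the tunnel, either a pushed route for $crm_cloud
# or a full redirect-gateway. Otherwise the client reaches the CRM cloud
# directly from the hotel and still presents 123.123.123.123.
#
# Caveat: every tunnel user now shares the site's whitelisted address, so the
# CRM provider can no longer tell remote users from on-site ones; pfSense's
# state table and OpenVPN logs become the place to attribute that traffic.
```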